Microsoft warns of dangerous Windows URI vulnerability

By Robert Westervelt, News Editor
11 Oct 2007 | SearchSecurity.com

Security Wire Daily News
Microsoft late Wednesday issued a security advisory warning of a dangerous command execution vulnerability that affects users of Windows XP and Windows Server 2003 who have Internet Explorer 7 installed.

Mark Miller, director of security response communications for Microsoft, said the software giant is investigating public reports of the remote code execution vulnerability. Miller said Microsoft is not aware of active attacks that attempt to use the reported vulnerability, nor of any customer impact.

"Microsoft is continuing to track this issue through the Software Security Incident Response Process and working on a security update to resolve it," Miller said.

In its security advisory, Microsoft said that Windows XP and Windows Server 2003 fail to properly validate URIs and URLs handed to them by applications, allowing an attacker to execute arbitrary commands. When Internet Explorer 7 is installed, a malicious URI can be passed through to Windows by a number of third-party applications, including Adobe Acrobat Reader, mIRC, Mozilla Firefox, Skype and Miranda IM.

For an attack to succeed, the attacker must embed a malicious URI in a Web page or email message and trick the user into following the link.

Preparing for uniform resource identifier (URI) exploits:

By Michael Cobb, Contributor

Most people using the Internet know what a Web address is, or at least use the term as a non-technical synonym for a URL, or uniform resource locator: a string of characters that identifies a resource and gives a means of locating it.

A URL is, in fact, one kind of uniform resource identifier, or URI. URIs use a defined syntax to provide a simple and extensible means of identifying and accessing an Internet resource, regardless of the application or platform in use. The syntax is essentially a URI scheme name, such as 'http' (Hypertext Transfer Protocol), followed by a colon and then a scheme-specific part.

Read more: Preparing for uniform resource identifier (URI) exploits
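The scheme, colon and scheme-specific part described above are exactly what a link-handling application has to inspect before it forwards a URI to the operating system's registered handler, and the advisory describes Windows as failing to validate the URIs it receives. The following Python script is an added example, not code from the article, from Microsoft or from any of the applications named: it splits a URI into scheme and scheme-specific part according to the RFC 3986 grammar, applies a hypothetical allow-list of schemes, and rejects control characters, characters outside the URI repertoire and malformed percent-escapes. The ALLOWED_SCHEMES set and the sample URIs are constructed for illustration.

```python
import re

# RFC 3986 grammar for the scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ),
# then a colon; everything after the colon is the scheme-specific part.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+\-.]*):(.*)$", re.DOTALL)

# Characters RFC 3986 permits in a percent-encoded URI: unreserved characters,
# gen-delims, sub-delims and the '%' that introduces an escape.
ALLOWED_BODY_RE = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# A '%' that is not followed by exactly two hex digits is a malformed escape.
BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Hypothetical allow-list (an assumption for this example): the only schemes
# this application is willing to hand off to the OS protocol handler.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def split_uri(uri: str):
    """Return (scheme, scheme_specific_part), or None if no valid scheme is present."""
    m = SCHEME_RE.match(uri)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)   # scheme names are case-insensitive


def check_uri(uri: str, allowed=ALLOWED_SCHEMES):
    """Decide whether a URI may be forwarded to the OS handler.

    Returns (ok, reason). Anything that would otherwise be forwarded blindly
    is dropped here: unknown schemes, control characters, characters outside
    the RFC 3986 repertoire, and percent-escapes that are not two hex digits.
    """
    parts = split_uri(uri)
    if parts is None:
        return False, "no valid scheme"
    scheme, body = parts
    if scheme not in allowed:
        return False, f"scheme {scheme!r} not in allow-list"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in body):
        return False, "control character in scheme-specific part"
    if not ALLOWED_BODY_RE.fullmatch(body):
        return False, "character outside RFC 3986 repertoire"
    if BAD_PCT_RE.search(body):
        return False, "malformed percent-escape"
    return True, "ok"


# Constructed sample input: the kind of links a document, page or chat client
# might ask the operating system to open.
SAMPLES = [
    "http://www.example.com/index.html",
    "mailto:alice@example.com?subject=hello",
    "mailto:%41lice@example.com",          # well-formed percent-escape
    "HTTP://EXAMPLE.COM/",                 # scheme case is irrelevant
    "mailto:alice@example.com?body=100%",  # '%' with no hex digits after it
    'mailto:alice@example.com"',           # double quote is not a URI character
    "mailto:alice@example.com\r\n",        # CRLF smuggled into the argument
    "example.com/index.html",              # no scheme at all
    "file:///C:/Windows/",                 # scheme not on the allow-list
]

if __name__ == "__main__":
    for uri in SAMPLES:
        ok, reason = check_uri(uri)
        print(f"{'PASS' if ok else 'DROP'}  {uri!r:42} {reason}")
```

Validating on the calling application's side means a hostile URI embedded in a Web page or email is dropped before it ever reaches the operating system's handler, rather than relying on Windows to reject it; the allow-list is the control that matters, since the parser alone cannot know which handlers are safe to invoke.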

Additional information about the flaw can be found on the Microsoft Security Response Center blog. The response center team called the vulnerability extremely complex and said it had been studying the issue since it was first reported in July.

Independent security researcher Billy Rios first discovered the vulnerability in July and said on his blog that it could be delivered through the Firefox browser.

As a result of the latest advisory, Cupertino, Calif.-based antivirus giant Symantec Corp. maintained its ThreatCon at Level 2. It was raised to Level 2 earlier in the week as a result of four updates released as part of Microsoft's monthly batch of patches to address critical vulnerabilities.

"Users are advised to be wary of any suspicious or unsolicited documents and are urged not to blindly follow any links received via email or instant messaging," Symantec said in its advisory.

Microsoft released its monthly security update on Tuesday, issuing four updates that address critical vulnerabilities attackers could exploit to run malicious code on targeted machines. IT administrators said attackers are most likely to go after the flaws outlined in Microsoft's MS07-057 bulletin, which fixes four different flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page using IE.

Senior News Writer Bill Brenner contributed to this report.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy